
Trump Team’s Extortion Demands To Ukraine Started Before The April 21 Call To Zelensky

Jim here.

As we prepare for the release of the “transcript” of Donald Trump’s first phone call to Volodymyr Zelensky, it is important to put the call into perspective with events surrounding it in the overall timeline of the Ukraine events at the center of the impeachment inquiry.

Pressure on Poroshenko Administration: January-February 2019

First, it is extremely important to note that Rudy Giuliani, Lev Parnas and Igor Fruman began their campaign to force Ukraine to re-open their investigation into Burisma and to expand it into an investigation of Joe and Hunter Biden, along with an “investigation” of Ukraine meddling in the 2016 US election, before Zelensky was elected. On Friday, the Washington Post filled us in on more details of that effort:

Two associates of Rudolph W. Giuliani pressed the then-president of Ukraine in February to announce investigations into former vice president Joe Biden’s son and purported Ukrainian interference in the 2016 election in exchange for a state visit, and a lawyer for one of the associates said Friday that they were doing so because Giuliani — acting on President Trump’s behalf — asked them to.

The Giuliani associates, Lev Parnas and Igor Fruman, met with then-Ukrainian President Petro Poroshenko in Kyiv, said Edward B. MacMahon Jr., a lawyer for Parnas. He said they were working on behalf of Giuliani, Trump’s personal lawyer, who was operating on orders from Trump.

“There isn’t anything that Parnas did in the Ukraine relative to the Bidens or the 2016 election that he wasn’t asked to do by Giuliani, who was acting on the direction of the president,” MacMahon said.

The article goes on to note that Ukrainian prosecutor Yuriy Lutsenko was also at this meeting, and that there had even been a meeting of Giuliani, Parnas and Fruman with Lutsenko in January.

As a result of this pressure, Lutsenko announced in March that he would investigate the Bidens. This opened the door for the infamous Ken Vogel hatchet job on the Bidens, published in the New York Times on May 1. Buried deep into the article, Vogel did at least grudgingly admit the previous investigation by Ukraine found nothing and that re-opening the investigation was in response to “pressure”:

The decision to reopen the investigation into Burisma was made in March by the current Ukrainian prosecutor general, who had cleared Hunter Biden’s employer more than two years ago. The announcement came in the midst of Ukraine’s contentious presidential election, and was seen in some quarters as an effort by the prosecutor general, Yuriy Lutsenko, to curry favor from the Trump administration for his boss and ally, the incumbent president, Petro O. Poroshenko.

We now know, as described above, that the pressure was applied primarily through Giuliani, Parnas and Fruman rather than through official channels. Returning to the Post article, here is how those efforts worked out:

At the time of the February meeting, Poroshenko was seeking reelection and wanting an official visit to Washington. He ultimately lost and never announced the investigations that Parnas and Fruman asked about, nor did he get the Washington visit he wanted.

The February meeting was also attended by Ukrainian general prosecutor Yuriy Lutsenko, MacMahon said. Lutsenko said in March he was investigating the Bidens, only to reverse course months later.

So, although Lutsenko announced an investigation, Poroshenko never did. Clearly, to the Trump team, the announcement had to come from the top in order to win the prize of the state visit that, at least in the opinion of the Trump team, would have tipped the election to Poroshenko. However, the Lutsenko announcement apparently was sufficient for Vogel and the Times.

Zelensky Elected April 21, 2019

The election in Ukraine took place on April 21 (although there was a preliminary round with no clear winner on March 31), with Zelensky winning in a landslide, 74% to 24% for Poroshenko. Trump’s call to Zelensky took place on April 21, shortly after Zelensky was declared the winner. Kurt Volker noted the call:


So, on the surface, one would expect a transcript of the call only to reflect congratulations on being elected. Volker didn’t specifically state anything else was covered in the call, but did note the US supports Ukraine’s territorial integrity and “counter [Russian] aggression”, sentiments Trump certainly would not have put into the call or Volker’s statement about it.

Of course, since it’s Donald Trump we’re talking about here, all bets are off on what will be in whatever Trump releases, if he does release something. Recall that Trump has called for Republicans to release their own “transcripts” of committee depositions in a very thinly veiled request for doctored transcripts:


Since Trump often operates via projection, we can’t help wondering whether he plans to do some editing on this “transcript” if it is released.

Pressure on Zelensky Administration Begins in May 2019, Before Inauguration

We must also keep in mind that the pressure on Zelensky’s Administration to investigate the Bidens began well before the July 25 phone call and that the first enticement offered in this extortion was Mike Pence attending the inauguration. From the New York Times:

Not long before the Ukrainian president was inaugurated in May, an associate of Rudolph W. Giuliani’s journeyed to Kiev to deliver a warning to the country’s new leadership, a lawyer for the associate said.

The associate, Lev Parnas, told a representative of the incoming government that it had to announce an investigation into Mr. Trump’s political rival, Joseph R. Biden Jr., and his son, or else Vice President Mike Pence would not attend the swearing-in of the new president, and the United States would freeze aid, the lawyer said.

/snip/

The meeting in Kiev in May occurred after Mr. Giuliani, with Mr. Parnas’s help, had planned a trip there to urge Mr. Zelensky to pursue the investigations. Mr. Giuliani canceled his trip at the last minute, claiming he was being “set up.”

Only three people were present at the meeting: Mr. Parnas, Mr. Fruman and Serhiy Shefir, a member of the inner circle of Mr. Zelensky, then the Ukrainian president-elect. The sit-down took place at an outdoor cafe in the days before Mr. Zelensky’s May 20 inauguration, according to a person familiar with the events. The men sipped coffee and spoke in Russian, which is widely spoken in Ukraine, the person said.

Mr. Parnas’s lawyer, Joseph A. Bondy, said the message to the Ukrainians was given at the direction of Mr. Giuliani, whom Mr. Parnas believed was acting under Mr. Trump’s instruction. Mr. Giuliani said he “never authorized such a conversation.”

Note Rudy’s non-denial: he says he never authorized such a conversation, but doesn’t dispute that it took place. Also note that Zelensky did not announce an investigation and Pence did not attend the inauguration.

Although it isn’t mentioned in this article, Rudy’s sudden decision not to attend the May meeting most likely was because he suddenly feared Igor Kolomoisky. From Buzzfeed:

The 56-year-old billionaire was not just a major supporter of Zelensky’s. He owned the television channel that had broadcast the comedy shows in which the newcomer had once played the part of the president of Ukraine, which had made him a household name.

Parnas and Fruman jetted to Israel in late April to meet Kolomoisky, who was living in self-exile after the previous administration took over a bank he founded amid accusations of fraudulent loans and money laundering. (Kolomoisky has vehemently denied the allegations.)

The meeting went badly.

In an interview, Kolomoisky said he was led to believe Parnas and Fruman wanted to talk about their new export business. Instead, he said, they pushed to meet with Zelensky. “I told them I am not going to be a middleman in anybody’s meetings with Zelensky,” he said to reporters for BuzzFeed News and the Organized Crime and Corruption Reporting Project. “I am not going to organize any meetings. Not for them, not for anybody else. They tried to say something like, ‘Hey, we are serious people here. Giuliani. Trump.’ They started throwing names at me.”

Kolomoisky called Parnas and Fruman “fraudsters” in an interview shortly after the meeting. Soon after, a lawyer for the two men filed a claim for damages and told police in Kiev that the oligarch had threatened their lives.

“It was a threat that we took seriously,” said Parnas.

Giuliani jumped into the dispute, denouncing Kolomoisky in tweets as a “notorious oligarch” who “must be held accountable for threats.”

So Rudy stayed behind on the May trip, sending Parnas and Fruman on their own.

Bottom Line

Even if a “transcript” from the April 21 call from Trump to Zelensky is released and contains no extortion demand from Trump for Zelensky to investigate the Bidens, such a demand was indeed delivered to a Zelensky associate less than a month later by Parnas and Fruman. The threat was then carried out when Pence did not attend Zelensky’s inauguration since no investigation was announced.

 

The Mueller Report Was Neither about Collusion Nor about Completed Investigation(s)

In the days since BuzzFeed released a bunch of backup files to the Mueller Report, multiple people have asserted these 302s are proof that Robert Mueller did an inadequate investigation, either by suggesting that the information we’re now seeing is incredibly damaging and so must have merited criminal charges or by claiming we’re seeing entirely new evidence.

I’ve had my own tactical complaints about the Mueller investigation (most notably, about how he managed Mike Flynn’s cooperation, but that might be remedied depending on how Emmet Sullivan treats Sidney Powell’s theatrics).  But I have yet to see a complaint that persuades me.

You never know what you can find in the Mueller Report if you read it

Let’s start with claims about how the release revealed details we didn’t previously know. Virtually all of these instead show that people haven’t read the Mueller Report attentively (though some don’t understand that two of the six interview reports we’ve got record someone lying to Mueller, and all are interviews of human beings with imperfect memories). Take this Will Bunch column, which claims that Rick Gates’ claims made in a muddled April 10, 2018 interview reveal information — that Trump ordered his subordinates to go find Hillary emails — we didn’t know.

Rick Gates, the veteran high-level political operative who served as Donald Trump’s deputy campaign manager in 2016, told investigators he remembers exactly where he was — aboard Trump’s campaign jet — when he heard the candidate’s desires and frustrations over a scheme to defeat Hillary Clinton with hacked, stolen emails boil over. And he also remembered the future president’s exact words that day in summer 2016.

Gates’ disclosure to investigators was a key insight into the state of mind of a campaign that was willing and eager to work with electronic thieves — even with powerful foreign adversaries like Russia, if need be — to win a presidential election. Yet that critical information wasn’t revealed in Mueller’s 440-page report that was supposed to tell the American public everything we needed to know about what the president knew and when he knew it, regarding Russia’s election hacking.

The passage in question comes from an interview where a redacted section reflecting questions about what Gates knew in May 2016 leads into a section on “Campaign Response to Hacked Emails.” What follows clearly reflects a confusion in Gates’ mind — and/or perhaps a conflation on the part of the campaign — between the emails Hillary deleted from her server and the emails stolen by Russia. The passage wanders between these topics:

  • People on the campaign embracing the Seth Rich conspiracy
  • Don Jr asking about the emails in “family meetings”
  • The campaign looking for Clinton Foundation emails
  • Interest in the emails in April and May, before (per public reports) anyone but George Papadopoulos knew of the stolen emails
  • The June 9 meeting
  • Trump exhibiting “healthy skepticism” about some emails
  • The anticipation about emails after Assange said they’d be coming on June 12
  • The fact that the campaign first started coordinating with the RNC because they had details of upcoming dates
  • RNC’s media campaigns after the emails started coming out
  • Trump’s order to “Get the emails” and Flynn’s efforts to do so
  • Details of who had ties to Russia and the Konstantin Kilimnik claim that Ukraine might be behind the hack
  • China, Israel, Kyrgyzstan
  • Gates never heard about emails from Papadopoulos
  • Sean Hannity

This seems to be more Gates’ stream of consciousness about emails, generally, than a directed interview. But Gates’ claim that 1) he didn’t know about emails from Papadopoulos but nevertheless 2) was party to discussions about emails in April and May is only consistent with some of these comments pertaining to Hillary’s deleted emails.

Once you realize that, then you know where to look for the “Get the emails” evidence in the Mueller Report: in the description of Mike Flynn making extensive efforts to get emails — albeit those Hillary deleted.

After candidate Trump stated on July 27, 2016, that he hoped Russia would “find the 30,000 emails that are missing,” Trump asked individuals affiliated with his Campaign to find the deleted Clinton emails.264 Michael Flynn-who would later serve as National Security Advisor in the Trump Administration- recalled that Trump made this request repeatedly, and Flynn subsequently contacted multiple people in an effort to obtain the emails.265

264 Flynn 4/25/18 302, at 5-6; Flynn 5/1/18 302, at 1-3.

265 Flynn 5/1/18 302, at 1-3.

The footnotes make it clear that in the weeks after Mueller’s team heard from Gates that Flynn used his contacts to search for emails, they interviewed Flynn several times about that effort, only to learn that that incredibly damning effort to find emails involved potentially working with Russian hackers to find the deleted emails. And to be clear: Bunch is not the only one confused about this detail–several straight news reports have not been clear about what that April 10 interview was, as well.

A November 5, 2016 email from Manafort — which the newly released documents show Bannon wanting to hide that Manafort remained a campaign advisor — is another thing that actually does show up in the Mueller Report, contrary to claims.

Later, in a November 5, 2016 email to Kushner entitled “Securing the Victory,” Manafort stated that he was “really feeling good about our prospects on Tuesday and focusing on preserving the victory,” and that he was concerned the Clinton Campaign would respond to a loss by “mov[ing] immediately to discredit the [Trump] victory and claim voter fraud and cyber-fraud, including the claim that the Russians have hacked into the voting machines and tampered with the results.”937

In other words, there is little to no evidence that the most damning claims (save, perhaps, the one that RNC knew of email release dates, though that may not be reliable) didn’t make the Report.

The Mueller Report is an incredibly dense description of the details Mueller could corroborate

The FOIAed documents are perhaps more useful for giving us a sense of how dense the Mueller Report is. They show how several pages of notes might end up in just a few paragraphs of the Mueller Report. The entirety of the three Gates’ interviews released Saturday, for example, show up in just four paragraphs in the Mueller Report: two in Volume I describing how the campaign made a media campaign around the leaks and how Trump once told him on the way to the airport that more emails were coming.

And two paragraphs in Volume II repeating the same information.

Worse still, because the government has released just six of the 302s that will be aired at the Roger Stone trial starting this week, much of what is in those interviews (undoubtedly referring to how Manafort and Gates coordinated with Stone) remains redacted under Stone’s gag order, in both the 302 reports and the Mueller Report itself.

Shocked — shocked!! — to find collusion at a Trump casino

Then there are people who read the 302s and were shocked that Mueller didn’t describe what the interviews show to be “collusion” as collusion, the mirror image of an error the denialists make (up to and including Bill Barr) in claiming that the Mueller Report did not find any collusion.

As I’ve pointed out since March 2017, this investigation was never about collusion. Mueller was tasked to report on what crimes he decided to charge or not, so there was never a possibility he was going to get into whether something was or was not collusion, because that would fall outside his mandate (and the law).

Worse still, in his summary of the investigation, Barr played a neat game where he measured “collusion” exclusively in terms of coordination by the campaign itself with Russia. It was clear from that moment — even before the redacted report came out — that he was understating how damning Mueller’s results would be, because Roger Stone’s indictment (and communications of his that got reported via various channels) made it crystal clear that he at least attempted to optimize the releases, but that involved coordination — deemed legal in part out of solid First Amendment concerns — with WikiLeaks, not Russia, and so therefore wouldn’t be covered by Barr’s narrow definition of “collusion.”

Of late, I’ve found it useful to use the definition of “collusion” Mark Meadows used in a George Papadopoulos hearing in 2018. In an exchange designed to show that in an interview where George Papadopoulos lied about his ongoing efforts to cozy up to Russia his denial that Papadopoulos, the coffee boy, knew about efforts to benefit from Hillary Clinton’s stolen emails, Meadows called that — optimizing the Clinton releases — “collusion.”

Mr. Papadopoulos. And after he was throwing these allegations at me, I —

Mr. Meadows. And by allegations, allegations that the Trump campaign was benefiting from Hillary Clinton emails?

Mr. Papadopoulos. Something along those lines, sir. And I think I pushed back and I told him, I don’t know what the hell you’re talking about. What you’re talking about is something along the lines of treason. I’m not involved. I don’t know anyone in the campaign who’s involved. And, you know, I really have nothing to do with Russia. That’s — something along those lines is how I think I responded to this person.

Mr. Meadows. So essentially at this point, he was suggesting that there was collusion and you pushed back very firmly is what it sounds like. [my emphasis]

One of the President’s biggest apologists has stated that if the campaign did make efforts to optimize the releases, then they did, in fact, collude.

The Roger Stone trial, which starts Tuesday, will more than meet that measure. It astounds me how significantly the previews of Stone’s trials misunderstand how damning this trial will be. WaPo measures that Mueller failed to find anything in Roger Stone’s actions, which is not what even the indictment shows, much less the Mueller Report or filings submitted in the last six months.

The Stone indictment suggests that what prosecutors found instead was a failed conspiracy among conspiracy theorists, bookended by investigative dead ends and unanswered questions for the team of special counsel Robert S. Mueller III.

And MoJo hilariously suggests we might only now, in the trial, establish rock solid proof that Trump lied to Mueller, and doesn’t even account for how some of its own past reporting will be aired at the trial in ways that are far more damning than it imagines.

Here’s why I’m certain these outlets are underestimating how damning this trial will be.

Along with stipulating the phone and email addresses of Erik Prince and Steve Bannon (meaning communications with them could be entered into evidence even without their testimony, though Bannon has said he expects to testify), the government plans to present evidence pertaining to four direct lines to Trump and three to his gatekeepers.

One way prosecutors will use this is to show that, when Trump told Rick Gates that more emails were coming after getting off a call he got on the way to LaGuardia, he did so after speaking directly to Roger Stone. They’ll also date exactly when a call that Michael Cohen witnessed happened, after which Trump said the DNC emails would be released in upcoming days got put through Rhona Graff.

It’s not so much that we’ll get proof that Trump lied to Mueller (and not just about what he said to Stone), though we will absolutely get that, but we’ll get proof that Trump was personally involved in what Mark Meadows considers “collusion.”

The Mueller Report and the ongoing criminal investigations

Both Mueller critics and denialists are also forgetting (and, in some cases, obstinately ignorant) about what the Mueller Report actually represented.

We don’t know why Mueller submitted his report when he did — though there is evidence, albeit not yet conclusive, that Barr assumed the position of Attorney General planning to shut the investigation down (indeed, he even has argued that once Mueller decided he could not indict Trump — which was true from the start, given the OLC memo prohibiting it — he should have shut the investigation down).

A lot has been made of the investigative referrals in the Mueller Report, of which just 2 (Cohen and Greg Craig) were unredacted. We’ve seen just one more of those thus far, the prosecution of George Nader for child porn, a prosecution that may lead Nader to grow more cooperative about other issues. Some of the (IMO) most revealing details in the weekend’s dump were b7ABC FOIA exemptions for materials relating to Alexander Nix and Michael Caputo. Normally, that redaction is used for upcoming criminal prosecutions, so it could be that Nix and Caputo will have a larger role in Stone’s trial than we know. But it also may mean that there is an ongoing investigation into one or both of them.

In addition, investigations of some sort into at least three of Trump’s aides appear to be ongoing.

It is a fact, for example, that DOJ refused to release the details of Paul Manafort’s lies — covering the kickback system via which he got paid, his efforts to implement the Ukraine plan pitched in his August 2, 2016 meeting, and efforts by another Trump flunkie to save the election in the weeks before he resigned — because those investigations remained ongoing in March. There’s abundant reason to think that the investigation into Lev Parnas and Igor Fruman and Rudy Giuliani, whether it was a referral from Mueller or not, is the continuation of the investigation into Manafort’s efforts to help Russia carve up Ukraine to its liking (indeed, the NYT has a piece on how Manafort played in Petro Poroshenko’s efforts to cultivate Trump today).

It is a fact that the investigation that we know of as the Mystery Appellant started in the DC US Attorney’s office and got moved back there (and as such might not even be counted as a referral). What we know of the challenge suggests a foreign country (not Russia) was using one of its corporations to pay off bribes of someone.

It is a fact that Robert Mueller testified under oath that the counterintelligence investigation into Mike Flynn was ongoing.

KRISHNAMOORTHI: Since it was outside the purview of your investigation your report did not address how Flynn’s false statements could pose a national security risk because the Russians knew the falsity of those statements, right?

MUELLER: I cannot get in to that, mainly because there are many elements of the FBI that are looking at different aspects of that issue.

KRISHNAMOORTHI: Currently?

MUELLER: Currently.

That’s consistent with redaction decisions made both in the Mueller Report itself and as recently as last week.

It is a fact that when Roger Stone aide Andrew Miller testified, he did so before a non-Mueller grand jury. When Miller’s lawyer complained, Chief Judge Beryl Howell reviewed the subpoena and agreed that the government needed Miller’s testimony for either investigative subjects besides Stone or charges beyond those in his indictment. Indeed, one of the most interesting aspects of Mueller’s statement closing his investigation is the way it happened as Miller was finally agreeing to testify, effectively ensuring that it would happen under DC, not Mueller.

Again, these are all facts. No matter how badly Glenn Greenwald desperately wants to — needs to — spin knowing actual facts about ongoing investigations as denial, it is instead basic familiarity with the public record (the kind of familiarity he has never bothered to acquire). At least as of earlier this year — or last week! — there has been reason to believe there are ongoing investigations into three of Trump’s closest advisors and several others who helped him get elected.

At least two of those investigations continue under grand juries, impaneled in March 2019, that Chief Judge Beryl Howell can extend beyond January 20, 2021.

Why Mueller closed up shop

Nevertheless, it is indeed the case that Mueller closed his investigation after producing a report that showed abundant obstruction by the President, but stated that his investigation “did not establish” that the Trump campaign engaged in coordination or conspiracy with Russia, including regarding a quid pro quo.

In particular, the investigation examined whether these contacts involved or resulted in coordination or a conspiracy with the Trump Campaign and Russia, including with respect to Russia providing assistance to the Campaign in exchange for any sort of favorable treatment in the future. Based on the available information, the investigation did not establish such coordination.

I’d like to end this post with speculation, one not often considered by those bitching about or claiming finality of the Mueller investigation.

In his closing press conference, Mueller emphasized two things: he saw his job as including “preserving evidence” against the President, and he noted that under existing DOJ guidelines, the President cannot be charged until after he has been impeached.

First, the opinion explicitly permits the investigation of a sitting President because it is important to preserve evidence while memories are fresh and documents are available. Among other things, that evidence could be used if there were co-conspirators who could now be charged.

And second, the opinion says that the Constitution requires a process other than the criminal justice system to formally accuse a sitting President of wrongdoing.

In Mueller’s explanation of why he didn’t hold out for an interview with Trump, he said that he weighed the cost of fighting for years to get that interview versus the benefit of releasing a report  with “substantial quantity of information [allowing people] to draw relevant factual conclusions on intent and credibility” when he did.

Beginning in December 2017, this Office sought for more than a year to interview the President on topics relevant to both Russian-election interference and obstruction-of-justice. We advised counsel that the President was a “subject” of the investigation under the definition of the Justice Manual-“a person whose conduct is within the scope of the grand jury’s investigation.” Justice Manual § 9-11.151 (2018). We also advised counsel that “[a]n interview with the President is vital to our investigation” and that this Office had “carefully considered the constitutional and other arguments raised by . . . counsel, and they d[id] not provide us with reason to forgo seeking an interview.”1 We additionally stated that “it is in the interest of the Presidency and the public for an interview to take place” and offered “numerous accommodations to aid the President’s preparation and avoid surprise.”2 After extensive discussions with the Department of Justice about the Special Counsel’s objective of securing the President’s testimony, these accommodations included the submissions of written questions to the President on certain Russia-related topics.3

[snip]

Recognizing that the President would not be interviewed voluntarily, we considered whether to issue a subpoena for his testimony. We viewed the written answers to be inadequate. But at that point, our investigation had made significant progress and had produced substantial evidence for our report. We thus weighed the costs of potentially lengthy constitutional litigation, with resulting delay in finishing our investigation, against the anticipated benefits for our investigation and report. As explained in Volume II, Section H.B., we determined that the substantial quantity of information we had obtained from other sources allowed us to draw relevant factual conclusions on intent and credibility, which are often inferred from circumstantial evidence and assessed without direct testimony from the subject of the investigation.

I take that to mean that Mueller decided to end the investigation to prevent Trump’s refusals to testify from delaying the release of the report for two years.

In his testimony, Mueller agreed, after some very specific questioning from former cop Val Demings, that Trump was not truthful in his answers to Mueller.

DEMINGS: Director Mueller, isn’t it fair to say that the president’s written answers were not only inadequate and incomplete because he didn’t answer many of your questions, but where he did his answers show that he wasn’t always being truthful.

MUELLER: There — I would say generally.

She laid out what I have — that Trump refused to correct his lies about Trump Tower Moscow, as well as that he obviously lied about his coordination on WikiLeaks. So lies are one of the things the Mueller Report documents for anyone who reads it attentively.

But Trump’s obstruction extends beyond his lies. His obstruction, as described in the Report, included attempts to bribe several different witnesses with pardons, including at minimum Manafort, Flynn, Cohen, and Stone (those aren’t the only witnesses and co-conspirators the evidence shows Mueller believes Trump bribed with promises of pardons, but I’ll leave it there for now).

So here’s what I think Mueller did. I suspect he ended his investigation when he did because he was unable to get any further so long as Trump continued to obstruct the investigation with promises of pardons. So long as Trump remains President, key details about what are egregious efforts to cheat to win will remain hidden. The ongoing investigations — into Manafort and Stone, at a minimum, but possibly into others up to and including the President’s son — cannot go further so long as any prosecutorial effort can be reversed with a pardon.

That said, some of those details will be revealed for the first time starting this week, in the Stone trial. And, if the Parnas and Fruman influence operation is, indeed, related to Manafort’s own, then Trump’s personal criminal involvement in that influence operation is being revealed as part of a parallel impeachment inquiry.

Which is to say that I suspect Mueller got out of the way to allow investigations that cannot be fully prosecuted so long as Trump remains President to continue, even as Congress starts to do its job under the Constitution. And Congress has finally started doing so.

The Ellipses and the Recordings, Plural, of Joe Biden

Before I get into the NYT report on Alexander Vindman’s testimony that the White House removed damning things from the transcript of the July 25 call, I want to note something from his opening statement. At the end of his description of who he is and what he does, Vindman warned that the impeachment inquiry should carefully balance the need for disclosure against national security concerns.

Most of my interactions relate to national security issues and are therefore especially sensitive. I would urge the Committees to carefully balance the need for information against the impact that disclosure would have on our foreign policy and national security.

Then, when discussing the July 25 call, Vindman emphasized that, because the transcript is in the public record, “we are all aware of what was said.”

On July 25, 2019, the call occurred. I listened in on the call in the Situation Room with colleagues from the NSC and the office of the Vice President. As the transcript is in the public record, we are all aware of what was said.

I was concerned by the call. I did not think it was proper to demand that a foreign government investigate a U.S. citizen, and I was worried about the implications for the U.S. government’s support of Ukraine. I realized that if Ukraine pursued an investigation into the Bidens and Burisma, it would likely be interpreted as a partisan play which would undoubtedly result in Ukraine losing the bipartisan support it has thus far maintained.

Yet immediately following his statement that “we are all aware of what was said,” Vindman asserts that the call was about investigating the Bidens and Burisma. But Burisma doesn’t appear in the TELCON. It is one of the things that, according to the NYT, the White House removed — where it says “the company” in this passage — and he recommended it be put back in.

I understand and I’m knowledgeable about the situation. Since we have won the absolute majority in our Parliament; the next prosecutor general will be 100% my person, my candidate, who will be approved, by the parliament and will start as a new prosecutor in September. He or she will look into the situation, specifically to the company that you mentioned in this issue. [my emphasis]

NYCSouthpaw had said once this had to be a reference to Burisma — he was absolutely correct.

According to NYT, the ellipsis in this passage of the TELCON,

Biden went around bragging that he stopped the prosecution so if you can look into it …

… Took out a reference to Joe Biden talking about getting Viktor Shokin fired.

The omissions, Colonel Vindman said, included Mr. Trump’s assertion that there were recordings of former Vice President Joseph R. Biden Jr. discussing Ukraine corruption,

[snip]

The rough transcript also contains ellipses at three points where Mr. Trump is speaking. Colonel Vindman told investigators that at the point of the transcript where the third set of ellipses appear, Mr. Trump said there were tapes of Mr. Biden.

Mr. Trump’s mention of tapes is an apparent reference to Mr. Biden’s comments at a January 2018 event about his effort to get Ukraine to force out its prosecutor general, Viktor Shokin. [my emphasis]

The NYT and other outlets have asserted that this is a reference to a video that Rudy Giuliani has been publicly shopping for some time, and it undoubtedly is that, at least.

But I want to suggest the possibility that it’s a reference to more.

The NYT goes to absurd lengths to make this appear as innocuous as possible, seemingly offering up the possibility that the words “the company” appeared because of a failure of the voice recognition software (though the TELCON itself notes that such a possibility would be marked by “inaudible” in the transcript).

It is not clear why some of Colonel Vindman’s changes were not made, while others he recommended were, but the decision by a White House lawyer to quickly lock down the reconstructed transcript subverted the normal process of handling such documents.

The note-takers and voice recognition software used during the July 25 call had missed Mr. Zelensky saying the word “Burisma,” but the reconstructed transcript does reference “the company,” and suggests that the Ukrainian president is aware that it is of great interest to Mr. Trump.

Which is one reason I find it notable that the NYT suggests the reference to recordings refers solely to a single publicly known recording of Biden even though both times they refer to Vindman’s testimony, they refer to tapes or recordings, plural.

The thing is, there undoubtedly are tapes, plural, of Biden talking about firing Shokin. Indeed, in the recording in question, Biden even says that he had already gotten a commitment from Petro Poroshenko to fire Shokin.

I had gotten a commitment from Poroshenko and from Yatsenyuk that they would take action against the state prosecutor. And they didn’t.

So at the very least, there are the US versions of prior communications in which Biden would have emphasized the importance of firing Shokin. And there may well be other recordings reflecting that the ask happened, for example of Poroshenko talking to Arseniy Yatsenyuk about it. Given that getting Poroshenko to act on corruption was a key focus of Obama’s policy, it would have been a key focus of SIGINT collection. So if we had the ability to collect such conversations, we would have done so. And if we did, those recordings would still be sitting at NSA available to anyone with the need to know.

Trump would have legal access to all of that and, given his focus on Ukraine and “corruption,” an excuse to pull it up. Given that this purported concern about “corruption” is part of the official, stated policy of the US, it is not at all crazy to assume that his aides have pulled existing intercepts pertaining to past discussions of corruption and if they did, they would have, by definition, involved Joe Biden, because he was the one Obama tasked to take care of such issues.

And if there were — and if Trump’s comment reflected knowledge of that — it would explain two other details.

First, Vindman clearly doesn’t think all of the details about this call should be aired publicly. It’s certainly possible that he just didn’t want it to become public that Zelensky had parroted Trump’s demand to investigate Burisma. As I noted, by releasing the transcript, Trump has already made it clear that he succeeded in corrupting Zelensky, who ran on a platform of ending corruption. Revealing that Zelensky was literally repeating the script that Gordon Sondland had dictated for him would make that worse.

It’s also possible that whatever the other two ellipses in the TELCON hide are things he believes should remain secret. Vindman certainly would know what those ellipses hide, even if he didn’t recommend adding those details back in, and surely got asked about it yesterday.

But a national security professional like Vindman would also want to keep any details about intercepts classified. Even just the fact — not at all controversial but not something spoken of in polite company — that the US was sitting on records of Poroshenko’s resistance to dealing with corruption would be the kind of thing Vindman might want to keep secret.

Again, it may be that Vindman’s concerns about airing this dirty laundry involve nothing more than an effort to minimize the damage already done to Zelensky. But it may reflect more specific concerns about sources and methods.

And if the original transcript did reflect sources and methods, it might provide an excuse for John Eisenberg to insist it be stored on the Top Secret server. Again, his decision to do so may extend no further than a desire to cover up the President’s crime. But if the call reflected more sensitive collection, then it would need to be stored on a more secure server. That also might explain why everyone else — except the whistleblower, who wasn’t on the call — treated these details as Top Secret.

The existing TELCON does not hide that Trump was discussing right wing propaganda with Zelensky. So there would be no reason to remove Trump’s reference to another piece of right wing propaganda. But the treatment of it suggests that the TELCON as released removed classified information (the document is titled “Unclassified,” suggesting that if the TELCON included the statements reflected in the ellipses, it’d be Classified). In which case, there may be other recordings, recordings that are classified and aren’t known to every frothy right winger spouting propaganda.

For some reason, the NYT thinks Trump referred to more than one recording of Biden talking corruption. It is not at all unreasonable to imagine he knows of classified recordings.

On the Potential Viability of Foreign Agent Charges for Rudy Giuliani

Since the NYT revealed that SDNY is investigating Rudy Giuliani for what they call “lobbying” laws,

Mr. Lutsenko initially asked Mr. Giuliani to represent him, according to the former mayor, who said he declined because it would have posed a conflict with his work for the president. Instead, Mr. Giuliani said, he interviewed Mr. Lutsenko for hours, then had one of his employees — a “professional investigator who works for my company” — write memos detailing the Ukrainian prosecutors’ claims about Ms. Yovanovitch, Mr. Biden and others.

Mr. Giuliani said he provided those memos to Secretary of State Mike Pompeo this year and was told that the State Department passed the memos to the F.B.I. He did not say who told him.

Mr. Giuliani said he also gave the memos to the columnist, John Solomon, who worked at the time for The Hill newspaper and published articles and videos critical of Ms. Yovanovitch, the Bidens and other Trump targets. It was unclear to what degree Mr. Giuliani’s memos served as fodder for Mr. Solomon, who independently interviewed Mr. Lutsenko and other sources.

Mr. Solomon did not immediately respond to a request for comment.

The lobbying disclosure law contains an exemption for legal work, and Mr. Giuliani said his efforts to unearth information and push both for investigations in Ukraine and for news coverage of his findings originated with his defense of Mr. Trump in the special counsel’s investigation.

He acknowledged that his work morphed into a more general dragnet for dirt on Mr. Trump’s targets but said that it was difficult to separate those lines of inquiry from his original mission of discrediting the origins of the special counsel’s investigation.

Mr. Giuliani said Mr. Lutsenko never specifically asked him to try to force Ms. Yovanovitch’s recall, saying he concluded himself that Mr. Lutsenko probably wanted her fired because he had complained that she was stifling his investigations.

“He didn’t say to me, ‘I came here to get Yovanovitch fired.’ He came here because he said he had been trying to transmit this information to your government for the past year, and had been unable to do it,” Mr. Giuliani said of his meeting in New York with Mr. Lutsenko. “I transmitted the information to the right people.”

And since the WSJ reported that Pete Sessions — named as Congressman 1 in the Lev Parnas/Igor Fruman indictment — was cooperating with a grand jury subpoena targeting Rudy,

A grand jury has issued a subpoena related to Manhattan federal prosecutors’ investigation into Rudy Giuliani, seeking documents from former Rep. Pete Sessions about his dealings with President Trump’s personal lawyer and associates, according to people familiar with the matter.

The subpoena seeks documents related to Mr. Giuliani’s business dealings with Ukraine and his involvement in efforts to oust the U.S. ambassador in Kyiv, as well as any interactions between Mr. Sessions, Mr. Giuliani and four men who were indicted last week on campaign-finance and conspiracy accounts, the people said.

Mr. Sessions’ knowledge of Mr. Giuliani’s dealings is a primary focus of the subpoena, the people said.

There has been a closer review of whether it would be possible to indict the President’s personal lawyer under foreign agent laws, with broad consensus that what Rudy is doing is actually covered by FARA — and not just his work for Ukraine, but also (among other places) for Turkey.

But there have been a number of claims that, I think, have been too pat about how easy or hard this is going to be.

Greg Craig, Tony Podesta, Vin Weber, and Bijan Kian are not apt precedents

First, a number of people have looked at how SDNY considered — but did not charge — Greg Craig, Tony Podesta, and Vin Weber under FARA, suggesting the same considerations would hold true with Rudy. Others have looked at Greg Craig (who was prosecuted but acquitted in DC for FARA after SDNY decided not to charge it) and Bijan Kian (who was convicted but then had his conviction thrown out by Judge Anthony Trenga based on the legal theory DOJ used) to suggest these cases are too difficult to charge to get Rudy.

It is absolutely the case that when powerful men with skilled lawyers have been pursued under FARA in recent years, DOJ has not succeeded at trial; it has either gotten plea deals or failed at trial (and that may have been one of the facts behind Mueller’s decision to strike a plea deal with Paul Manafort). That is sound evidence that SDNY is no doubt aware of.

But several things distinguish Rudy.

Most notably, all of those earlier cases came before DOJ’s newfound commitment to prosecuting FARA, with Mike Flynn prosecutor Brandon Van Grack taking over where a woman named Heather Hunt had been in charge before. At a minimum, that means a process that originally took place with Craig, Podesta, Weber, and Kian under an assumption that FARA would be treated solely as a registration issue may now be taking place under an assumption that violations of FARA — presumably to include both a failure to register and (what most charges have been so far) false statements under registration — can be prosecuted. That assumption would dramatically change the attention with which DOJ would document their communications, so prosecutors would not now be stuck going to trial (as Craig’s prosecutors were) without having DOJ’s documentation of a key meeting.

Notably, the same thing that triggered the FARA prosecution of Mike Flynn — concerns raised by Congress — happened last year when seven Democratic Senators wrote National Security Division head John Demers asking for a review. So there may well be documentation of Rudy’s claims about whether he does or does not need to register that SDNY is building a prosecution around.

Plus, one thing clearly distinguishes Rudy from all these other men. Rudy is not taking this investigation seriously, and does not have a lawyer reviewing his exposure. From reports, he may not have the ready cash to pay the likes of Rob Kelner (Flynn’s original, very competent, lawyer) or Robert Trout (Kian’s excellent lawyer). So he may be doing things now (not least, running his mouth on TV and making public statements about who he works for and how it gets paid) that put him at greater exposure.

Rudy G’s efforts to implicate State and DOJ (and the President) in his work

That said, another thing distinguishes Rudy from these past cases. Since the whistleblower complaint got made public, he has spent most of his time insisting that everything he did, he did with the awareness and involvement of — at least — the State Department. And in Trump’s July 25 call to Volodymyr Zelensky, he invoked Bill Barr’s name right alongside his nominal defense attorney.

Both foreign agent statutes (FARA — the one being discussed for Rudy, and 18 USC 951 — another one, with more flexibility, that Kian was charged under) require registration with the Attorney General. And while telling foreigners you’re negotiating with that the Attorney General will be by soon to pick up the disinformation demanded does not fulfill the requirements for registry (in part, the point of registering is to provide a paper trail so the public can track who is paying for what), it does change things that Rudy is suggesting that his work has the imprimatur of official policy to it.

That said, the assumption that implicating powerful government figures will keep you safe is a dangerous proposition. If the easiest way to end the Ukraine inquiry is to blame Rudy for it all (and if that’s still possible after several weeks of damning testimony), that may well come to pass.

And if Bill Barr needs to greenlight a FARA prosecution of Rudy as a way to minimize the damage to the Administration, and to himself, he may well do that (yet another reason why he should have recused long ago).

That’s all the more true given that most of Trump’s aides seem to recognize how damaging Rudy is for Trump’s exposure. If Trump won’t separate himself from Rudy, his lackeys might one day decide, then separate Rudy from Trump by prosecuting him, the same way they separated Michael Cohen from Trump.

That said, with Trump, loyalty is always transactional. And if he believes Rudy has dirt that can bring him down — and given the likelihood some of what Rudy is doing is the continuation of what Paul Manafort had been doing since August 2, 2016, that may be true — then Trump will defend Rudy’s work even if it means claiming everything he did operated under Article II authority.

The additional factor: ConFraudUs

The discussions about Rudy’s exposure under FARA, however, seem not to have considered another factor: that Lev Parnas and Igor Fruman have already been charged with conspiracy in conjunction with actions Rudy had a key role in. The Ukrainian grifter indictment charges them with two counts of Conspiracy to Defraud the US for hiding what money was behind their influence campaign on Ukraine (count 1) and Nevada marijuana (count 4), as well as False Statements to the FEC (count 2) and falsification of records (count 3) tied to the Ukraine influence operation. Counts 1-3 all pertain to the Ukrainian grifters’ laundering of campaign funds through Global Energy Producers, a front that (SDNY alleges) they falsely claimed was “a real business enterprise funded with substantial bona fide capital investment,” the major purpose of which “is energy trading, not political activity.” Those funds went, among other places, to the Trump-related Super PAC America First Action and to Congressman Sessions.

Rudy has equivocated about his relationship to the Ukrainian grifters (and claims it goes through Fraud Guarantee, not GEP). But John Dowd, writing as the grifters’ lawyer, already stated for the record that he does have ties and those ties relate to his representation of the President. That is, the grifters are working for him, even while he works for them.

That’s important because Sessions’ statements have denied any official action in response to meetings with the grifters, but he also had meetings with Rudy in the time period, official action in response to which he has not denied. In addition, Rudy (whom Sessions says he has been friends with for three decades) also headlined a fundraiser for Sessions. And on top of the straw donations the grifters gave Sessions directly, America First Action gave Sessions far more, $3 million, as the indictment notes twice.

In other words, while Sessions has denied doing anything in response to the grifters’ meetings, he has not denied doing anything in response to Rudy’s communications with him. If he sent his letter calling for the ouster of Marie Yovanovitch in response to a request from Rudy — whose finances are inextricably tied to the grifters — then it may be fairly easy to add him to the conspiracy the (successful) object of which was to get Yovanovitch fired. The propaganda Rudy sent (as laid out by NYT, and which the State IG already sent to the FBI earlier this year) would then simply be part of the conspiracy.

A few more points. There’s a passage of the indictment included to substantiate the allegation that the grifters were affirmatively trying to hide their purpose.

Indeed, when media reports about the GEP contributions first surfaced, an individual working with PARNAS remarked, “[t]his is what happens when you become visible … the buzzards descend,” to which PARNAS responded, “[t]hat’s why we need to stay under the radar…”

The indictment doesn’t disclose a number of details about this communication: who the interlocutor is, how it was collected, and whether it involved a mere warrant (for stored communications such as email or texts) or a wiretap. But particularly given the seeming overlap between these activities and those of people we know were surveilled during the period in question, it’s a pregnant inclusion in the indictment. It suggests the Feds may already be privy to far more about this scheme and the reasons the grifters might want it suppressed. Add that to the fact that, as WSJ reported, the Feds already have Rudy’s bank records, which will show whether he really worked for Fraud Guarantee or whether that, like GEP, is just a front.

Cui bono

Finally, consider this. The indictment says that the grifters were pushing to oust Yovanovitch to benefit particular unnamed Ukrainians’ interests.

[T]hese contributions were made for the purpose of gaining influence with politicians so as to advance their own personal financial interests and the political interests of Ukrainian government officials, including at least one Ukrainian government official with whom they were working.

[snip]

At and around the time PARNAS and FRUMAN committed to raising those funds for [Sessions], PARNAS met with [SESSIONS] and sought [his] assistance in causing the U.S. Government to remove or recall [Yovanovitch]. PARNAS’s efforts to remove the Ambassador were conducted, at least in part, at the request of one or more Ukrainian government officials.

According to NBC, the Ukrainian in question was Yurii Lutsenko. But Lutsenko has since been ousted, and he has reneged on statements elicited by Rudy implicating the Bidens. More importantly, one of the promises Zelensky made in his July 25 call to Trump was to put in his own prosecutor who would pursue the two investigations — to trump up a claim Ukraine was behind the election tampering in 2016, and to invent evidence against Hunter Biden — that Trump wanted.

The President: Good because I heard you had a prosecutor who was very good and he was shut down and that’s really unfair. A lot of people are talking about that, the way they shut your very good prosecutor down and you had some very bad people involved. Mr. Giuliani is a highly respected man. He was the mayor of New York City, a great mayor, and I would like him to call you. I will ask him to call you along with the Attorney General. Rudy very much knows what’s happening and he is a very capable guy. If you could speak to him that would be great. The former ambassador from the United States, the woman, was bad news and the people she was dealing with in the Ukraine were bad news so I just want to let you know that. The other thing, There’s a lot of talk about Biden’s son, that Biden stopped the prosecution and a lot of people want to find out about that so whatever you can do with the Attorney General would be great. Biden went around bragging that he stopped the prosecution so if you can look into it … It sounds horrible to me.

President Zelenskyy: I wanted to tell you about the prosecutor. First of all I understand and I’m knowledgeable about the situation. Since we have won the absolute majority in our Parliament; the next prosecutor general will be 100% my person, my candidate, who will be approved, by the parliament and will start as a new prosecutor in September. He or she will look into the situation, specifically to the company that you mentioned in this issue.

Which is what led to Lutsenko’s ouster.

Moreover, the prosecutor Biden shut down was not Lutsenko, but Viktor Shokin, who has written affidavits which then got fed to John Solomon on behalf of Dmitry Firtash, who is trying hard to avoid extradition (on bribery charges) to the US.

That — plus the financial and legal ties between Firtash and the grifters — suggests there may be other Ukrainians on whose behalf the grifters were working to get Yovanovitch withdrawn. Firtash is certainly one. A corrupt prosecutor with ties to Russian intelligence, Kostiantyn Kulyk, who had worked for all these guys — and who is behind a dossier accusing Hunter Biden of corruption — may be another. That is, Yovanovitch may have been the impediment not to inventing dirt on the Bidens, which is a fairly easy ask, but instead to creating the pre-conditions for people like Firtash to go free (which would also explain the natural gas angle).

All of which is to say that it would be a fairly trivial matter to establish the evidence to charge Rudy in ConFraudUs along with the Ukrainian grifters, as SDNY already has a lot of the evidence it would need.

Yes, Rudy Giuliani is, by all appearances, in blatant violation of FARA. Yes, he may get away with that, in part because DOJ hasn’t yet figured out how to charge it consistently (though it knows what not to do given recent history), and in part because he has made sure to implicate Trump and his cabinet officials.

But there’s a larger question about whether those same financial ties expose Rudy for much uglier conspiracy charges.

Nyetya: Sanctions and Taxes

In my first post on the Nyetya/NotPetya attack launched in Ukraine last week, I suggested the attack looked a lot like a digital sanctions regime and pointed out that the malware had been compiled not long after the US Senate tried to pass new sanctions.

On June 14, the Senate passed some harsh new sanctions on Russia, ostensibly just for Russia’s Ukrainian and Syrian related actions, not for its tampering in last year’s US election. The House mucked up that bill, but the Senate will continue to try to impose new sanctions. Trump might well veto the sanctions, but that will cause him a great deal of political trouble amid the Russian investigation.

The Petya/NotPetya malware was compiled on June 18.

Update: I should add that Treasury added a bunch of people to its Ukraine-related sanctions list on June 20.

In her first post on it, Rayne focused on how the loss of MEDoc’s tax software might affect payments in Ukraine (though she remained open about other attackers besides Russia).

But the US wasn’t the only country that has moved towards imposing new sanctions on Russia. Ukraine did so too, back on May 15. Petro Poroshenko targeted a number of Russian tech brands — most spectacularly, VK, mail.ru, and Yandex, which are among the most popular sites in Ukraine. The Ukrainian president also banned Kaspersky, as American politicians are moving closer to doing. Most interestingly, Poroshenko banned 1C, maybe the equivalent of Microsoft’s Office suite.

A decree by Poroshenko posted late on Monday expanded sanctions adopted over Russia’s annexation of Crimea and backing of separatists in eastern Ukraine to include 468 companies and 1,228 people. Among them were the Russian social networks VK and Odnoklassniki, the email service Mail.ru and the search engine company Yandex, all four of which are in the top 10 most popular sites in Ukraine, according to the web traffic data company Alexa. The decree requires internet providers to block access to the sites for three years.

Poroshenko’s decree also blocked the site of the Russian cybersecurity giant Kaspersky Labs and will ban several major Russian television channels and banks, as well as the popular business software developer 1C.

In a post on his official page on VK, Poroshenko said he had tried to use Russian social networks to fight Russia’s “hybrid war” and propaganda.

1C is a competitor to MEDoc, the patient zero of the attack. (h/t Jeff Vader)

After Poroshenko imposed sanctions, Putin’s spox warned Ukraine had forgotten the principle of reciprocity.

Vladimir Putin’s spokesman told journalists that he wasn’t prepared to say but that Russia had not “forgotten about the principle of reciprocity”.

Now consider these other details.

It turns out that MEDoc had already sent out several malicious updates which backdoored the software and collected the unique business identifier of the victims, as well as credentials.

During our research, we identified a very stealthy and cunning backdoor that was injected by attackers into one of M.E.Doc’s legitimate modules. It seems very unlikely that attackers could do this without access to M.E.Doc’s source code.

The backdoored module has the filename ZvitPublishedObjects.dll. This was written using the .NET Framework. It is a 5MB file and contains a lot of legitimate code that can be called by other components, including the main M.E.Doc executable ezvit.exe.

We examined all M.E.Doc updates that were released during 2017, and found that there are at least three updates that contained the backdoored module:

  • 10.01.175-10.01.176, released on 14th of April 2017
  • 10.01.180-10.01.181, released on 15th of May 2017
  • 10.01.188-10.01.189, released on 22nd of June 2017

The incident with Win32/Filecoder.AESNI.C happened three days after the 10.01.180-10.01.181 update and the DiskCoder.C outbreak happened five days after the 10.01.188-10.01.189 update. Interestingly, four updates from April 24th 2017, through to May 10th 2017, and seven software updates from May 17th 2017, through to June 21st 2017, didn’t contain the backdoored module.

Since the May 15th update did contain the backdoored module and the May 17th update didn’t, here is a hypothesis that could explain low infection Win32/Filecoder.AESNI.C ratio: the release of the May 17th update was an unexpected event for the attackers. They pushed the ransomware on May 18th, but the majority of M.E.Doc users no longer had the backdoored module as they had updated already.

[snip]

Each organization that does business in Ukraine has a unique legal entity identifier called the EDRPOU number (Код ЄДРПОУ). This is extremely important for the attackers: having the EDRPOU number, they could identify the exact organization that is now using the backdoored M.E.Doc. Once such an organization is identified, attackers could then use various tactics against the computer network of the organization, depending on the attackers’ goal(s).

[snip]

Along with the EDRPOU numbers, the backdoor collects proxy and email settings, including usernames and passwords, from the M.E.Doc application.

Note that the May 15 attack was actually earlier in the day, before Poroshenko announced the sanctions against Russia.
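ESET's hypothesis about the May 17 update comes down to a per-host question: was the backdoored module still installed on the day the payload was pushed? The Python below is an added example, not code from ESET, Talos or this post. It assumes each update install replaces the module; the host names and install dates are constructed, while the release and outbreak dates are the ones in the ESET text quoted above.

```python
from datetime import date

# Release dates of the three updates ESET found carrying the backdoored
# ZvitPublishedObjects.dll (dates as quoted above).
BACKDOORED_RELEASES = frozenset({
    date(2017, 4, 14), date(2017, 5, 15), date(2017, 6, 22),
})

# Outbreak days derived from the quoted text: three days after the May 15
# update, and five days after the June 22 update.
OUTBREAKS = {
    "Win32/Filecoder.AESNI.C": date(2017, 5, 18),
    "DiskCoder.C": date(2017, 6, 27),
}


def exposure_windows(install_log):
    """Return [(start, end)] spans in which the backdoored module was installed.

    install_log: iterable of (installed_on, release_date) pairs, one per
    update the host applied. 'end' is the day a clean update replaced the
    module (exclusive), or None if the last installed update was backdoored.
    """
    windows, start = [], None
    for installed_on, release in sorted(install_log):
        if installed_on < release:
            raise ValueError(f"update released {release} installed {installed_on}")
        tainted = release in BACKDOORED_RELEASES
        if tainted and start is None:
            start = installed_on                   # backdoor arrives
        elif not tainted and start is not None:
            windows.append((start, installed_on))  # clean update removes it
            start = None
    if start is not None:
        windows.append((start, None))              # still present
    return windows


def present_on(install_log, day):
    """True if the backdoored module was installed on the given day."""
    return any(s <= day and (e is None or day < e)
               for s, e in exposure_windows(install_log))


def triage(hosts):
    """Summarise each host for incident response.

    credentials_at_risk: the backdoor ran at some point, so the EDRPOU number
    and the proxy/email credentials it collects should be treated as exposed.
    present_at_outbreak: outbreaks during which the module was still installed.
    """
    report = {}
    for name, log in hosts.items():
        report[name] = {
            "credentials_at_risk": bool(exposure_windows(log)),
            "present_at_outbreak": sorted(
                label for label, day in OUTBREAKS.items() if present_on(log, day)
            ),
        }
    return report


# Constructed install histories: (installed_on, release_date).
SAMPLE_HOSTS = {
    # Applies every update on or just after release day.
    "prompt-updater": [
        (date(2017, 4, 14), date(2017, 4, 14)),
        (date(2017, 4, 25), date(2017, 4, 24)),
        (date(2017, 5, 15), date(2017, 5, 15)),
        (date(2017, 5, 17), date(2017, 5, 17)),
        (date(2017, 6, 22), date(2017, 6, 22)),
    ],
    # Takes the May 15 build late and sits on it; never installs June 22.
    "lagging-updater": [
        (date(2017, 5, 16), date(2017, 5, 15)),
        (date(2017, 5, 20), date(2017, 5, 17)),
        (date(2017, 6, 21), date(2017, 6, 21)),
    ],
    # Only ever installed builds ESET found clean.
    "clean-builds-only": [
        (date(2017, 5, 17), date(2017, 5, 17)),
        (date(2017, 6, 21), date(2017, 6, 21)),
    ],
}

if __name__ == "__main__":
    for host, summary in triage(SAMPLE_HOSTS).items():
        print(host, summary)
```

The prompt updater matches ESET's hypothesis: the May 17 update had already removed the module by May 18, yet its credentials were still collected during the earlier windows.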

Talos used logs it obtained from MEDoc to confirm that it backdoored the victims, collecting data from targeted machines.

But then it makes what I consider a logical jump (albeit an interesting one): invoking something similar that happened with Blackenergy, it argues that the hacker that had backdoored MEDoc has lost the intelligence functionality of the MEDoc back door, so it must have a replacement at the ready. As a result, Talos basically suggests that businesses should treat anything touching Ukraine as if it has or soon will have digital cooties.

In short, the actor has given up the ability to deliver arbitrary code to the 80% of UA businesses that use M.E.Doc as their accounting software, along with any multinational corporations that leveraged the software.  This is a significant loss in operational capability, and the Threat Intelligence and Interdiction team assesses with moderate confidence that it is unlikely that they would have expended this capability without confidence that they now have or can easily obtain similar capability in target networks of highest priority to the threat actor.

Based on this, Talos is advising that any organization with ties to Ukraine treat software like M.E.Doc and systems in Ukraine with extra caution since they have been shown to be targeted by advanced threat actors.  This includes providing them a separate network architecture, increased monitoring and hunting activities in those at-risk systems and networks and allowing only the level of access absolutely necessary to conduct business.  Patching and upgrades should be prioritized on these systems and customers should move to transition these systems to Windows 10, following the guidance from Microsoft on securing those systems.  Additional guidance for network security baselining is available from Cisco as well.  Network IPS should be deployed on connections between international organizations and their Ukrainian branches and endpoint protection should be installed immediately on all Ukrainian systems.

That may be right. But I’m not sure this analysis considers Rayne’s point: that by basically taking out crucial tax software used by 80% of the Ukrainian market (indeed, Ukrainian authorities raided the company in a showy SWAT raid today), you will presumably have some effect on the collection of taxes in Ukraine, something AP’s reporter reporting from Ukraine, Raphael Satter, says he has seen anecdotal evidence of already.

So, sure, the MEDoc attacker lost the back door into 80% of the companies doing business in Ukraine. But the attacker may have hurt Ukraine’s ability to collect taxes, even while destroying the Ukrainian competitor to one of the companies targeted in May, imposing tremendous costs on doing business in Ukraine, and leading security advisors to recommend treating Ukraine like it has cooties going forward.

As with my first post on this, I’m still really just spitballing.

But one thing we know about Russia: it wants to find a way to end the sanctions regimes against it, and helping Donald Trump get elected thus far hasn’t done the trick.

Update: Malware Tech, the guy who sinkholed WannaCry, points to his data showing declining WannaCry infections in Ukraine and Russia, which he says shows the effect of the Nyetya infections replacing WannaCry ones. That suggests the impact in Russia is real, contrary to some public comments.

Update: Bleeping Computer describes victims installing old versions of MEDoc because it is so central to their business operations.

With the M.E.Doc servers down, Bleeping Computer was told that most Ukrainian companies are now sharing older versions of the M.E.Doc software via Google Drive links. The software provided by Intellect Service is so crucial to Ukrainian companies that even after the NotPetya outbreak, many businesses cannot manage their finances without it, despite the looming danger of another incident.

Because of the way the software is currently shared between some users, Ukrainian companies are now exposing themselves to even more dangerous threats, such as installing boobytrapped M.E.Doc versions from unofficial sources like Dropbox or Google Drive.